CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 22: June 13, 2022

Bullet points of key topics + chapter markers
[00:36] HelloXD Ransomware Installing Backdoor on Targeted Windows and Linux Systems
[07:20] Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks
[13:10] Chinese Hackers Distribute Backdoored Wallets for iOS and Android Users
[19:57] New Botnets Target Critical Vulnerability in Confluence Servers

Links
https://unit42.paloaltonetworks.com/helloxd-ransomware/
https://thehackernews.com/2022/06/hello-xd-ransomware-installing-backdoor.html
https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor
https://thehackernews.com/2022/06/iranian-hackers-spotted-using-new-dns.html
https://thehackernews.com/2022/06/chinese-hackers-distribute-backdoored.html?&web_view=true
https://cyware.com/news/new-botnets-target-critical-vulnerability-in-confluence-servers-9b210f41
https://cyware.com/research-and-analysis/patch-now-atlassian-confluence-vulnerability-cve-2021-26084-advisory-e7ba
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134

HelloXD Ransomware Installing Backdoor on Targeted Windows and Linux Systems

  • HelloXD
    • surfaced in the wild on November 30, 2021
    • deploys a backdoor for persistence
    • impacting Windows and Linux systems
    • code based on Babuk
  • Double Extortion Group
    • demand cryptocurrency payments by exfiltrating a victim’s sensitive data in addition to encrypting it and threatening to publicize the information.
    • doesn’t have an active leak site
    • negotiations through TOX chat and onion-based messenger instances
  • MicroBackdoor
    • open-source malware
    • used for command-and-control
    • developer says
      • “really minimalistic thing with all of the basic features in less than 5,000 lines of code.”
    • Capabilities
      • browse the file system
      • upload and download files
      • execute commands
      • erase evidence
    • researchers suspect it was deployed
      • to monitor the progress of the ransomware.
  • Palo Alto Networks Unit 42
    • linked to a likely Russian developer
      • online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4km
  • CyberWar Angle
    • different variants of the implant were adopted by the Belarusian threat actor dubbed Ghostwriter
      • against Ukrainian state organizations in March 2022

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

  • Lyceum
    • AKA: Hexane, Spirlin, or Siamesekitten
    • Iranian state-sponsored threat actor
    • known for targeting the Middle East and Africa
    • new custom .NET-based backdoor
      • DNS Backdoor
        • customized version of the open-source tool ‘DIG.net’
  • DNS Attack
    • DNS Hijacking
      • Redirection Attack
      • attacker-controlled DNS server
      • manipulates the response of DNS queries
      • resolves them according to the attacker’s malicious requirements.
  • Attack
    • macro-laced Microsoft document
      • hosted on “news-spot[.]live”
        • Pretends to be a real news site
      • Report about Iran’s Drone Strikes
    • Once the macro is enabled
      • drops the implant into the Windows Startup folder
        • to establish persistence
      • ensuring it runs automatically every time the system restarts.
      • points DNS traffic to their malicious DNS server
        • cyberclub[.]one
        • command-and-control (C2) communications to evade detection
      • It can upload and download files to and from the remote server
      • execute malicious system commands
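The DNS Hijacking bullets above describe the core of the Lyceum technique: an attacker-controlled resolver answers queries with addresses of the attacker’s choosing. One defensive check is to compare what the host’s configured resolver returns against a known-good baseline (published records, or an out-of-band query to a trusted resolver) and flag any answer outside it. The following is an added example written for these show notes, not code from the episode or the linked research; the hostnames, IP addresses and baseline table are constructed for illustration.

```python
"""Detect DNS redirection by comparing resolver answers against a trusted baseline.

Added example for the DNS-hijacking discussion; not from the episode or the
linked research. All names, addresses and the baseline table are constructed.
"""
import socket
from typing import Dict, Iterable, Set

# Constructed baseline: the addresses each name is expected to resolve to.
# In practice this comes from published records or a trusted resolver queried
# out-of-band, never from the host's own (possibly hijacked) resolver.
EXPECTED: Dict[str, Set[str]] = {
    "update.example.com": {"203.0.113.10", "203.0.113.11"},
    "mail.example.com": {"203.0.113.25"},
}


def classify(name: str, observed: Set[str], expected: Dict[str, Set[str]] = EXPECTED) -> str:
    """Classify one name's observed answers: 'ok', 'mismatch', or 'no_baseline'.

    An empty answer set is treated as a mismatch, since a hijacked resolver may
    also simply refuse to answer for names it wants to suppress.
    """
    if name not in expected:
        return "no_baseline"
    if observed and observed <= expected[name]:
        return "ok"
    return "mismatch"


def find_hijacked(observed: Dict[str, Set[str]], expected: Dict[str, Set[str]] = EXPECTED) -> Dict[str, Set[str]]:
    """Return {name: unexpected_addresses} for every baselined name whose answers
    contain at least one address outside the baseline."""
    hijacked: Dict[str, Set[str]] = {}
    for name, addrs in observed.items():
        if name in expected:
            unexpected = addrs - expected[name]
            if unexpected:
                hijacked[name] = unexpected
    return hijacked


def resolve_with_system(names: Iterable[str]) -> Dict[str, Set[str]]:
    """Query the host's configured resolver, the path an implant redirects.

    Uses the standard-library socket.gethostbyname_ex (returns
    (hostname, aliases, ip_list)); a lookup failure yields an empty set.
    """
    answers: Dict[str, Set[str]] = {}
    for name in names:
        try:
            _, _, ips = socket.gethostbyname_ex(name)
            answers[name] = set(ips)
        except socket.gaierror:
            answers[name] = set()
    return answers


# Constructed sample simulating answers from a redirected resolver: the update
# host now points at an address that is not in the baseline.
SAMPLE_OBSERVED: Dict[str, Set[str]] = {
    "update.example.com": {"198.51.100.7"},
    "mail.example.com": {"203.0.113.25"},
    "cdn.example.net": {"192.0.2.40"},  # no baseline entry: reported separately
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # resolve_with_system(EXPECTED) to check a live host.
    for name, addrs in SAMPLE_OBSERVED.items():
        print(f"{name:<22} {classify(name, addrs):<12} {sorted(addrs)}")
    for name, bad in find_hijacked(SAMPLE_OBSERVED).items():
        print(f"possible hijack: {name} -> {sorted(bad)}")
```

Names with no baseline entry are reported as `no_baseline` rather than silently ignored, so a gap in the baseline does not hide a redirected name; the cost is that the baseline has to be kept current for the names that matter (update servers, mail, identity providers).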

Chinese Hackers Distribute Backdoored Wallets for iOS and Android Users

  • SeaFlower
    • a technically sophisticated threat actor
    • discovered in March 2022
    • “hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered”
      • based on the macOS usernames
      • source code comments in the backdoor code
      • its abuse of Alibaba’s Content Delivery Network (CDN)
  • targeting Android and iOS users
    • mimics official cryptocurrency wallet websites
      • distribute backdoored apps
      • to drain victims’ funds.
        • by exfiltrating the seed phrase
  • Targeted Apps Include
    • Coinbase Wallet
    • MetaMask
    • TokenPocket
    • imToken
  • Attack Vector
    • setting up cloned websites
    • leverages SEO poisoning techniques
    • act as a conduit to download trojanized versions of the wallet apps
      • virtually unchanged from their original counterparts except for the addition of new code designed to exfiltrate the seed phrase to a remote domain
    • target iOS users by means of provisioning profiles that enable the apps to be sideloaded onto the devices.

New Botnets Target Critical Vulnerability in Confluence Servers

  • the exploitation of the flaw CVE-2021-26084 (CVSS 9.8/10)
    • Confluence Server and Data Center
    • allows unauthorized attackers to:
      • create new admin accounts, run commands, and take over the server remotely to backdoor publicly exposed servers.
  • Last week’s zero-day (CVE-2022-26134)
    • in Atlassian Confluence, discovered by Volexity
    • Remote Code Execution Vulnerability
    • Just one day after public disclosure the flaw was being actively exploited; Atlassian released security updates and advised patching installations to stop the ongoing attacks.
    • CISA ordered federal agencies to restrict all internet traffic to Confluence servers on their networks.
  • Botnets
    • Kinsing, Hezb, and Dark[.]IoT
      • targeting exposed Linux servers
        • deliver backdoors and crypto miners.